Posted to dev@directory.apache.org by Nowhere <sp...@gmail.com> on 2009/02/18 11:34:55 UTC
ApacheDs - DIGEST-MD5
Hi all,
I don't know if this is the right place, but I have a problem connecting to my
ApacheDS using DIGEST-MD5:
I wrote a simple Java class that works fine with simple authentication.
Here it is:
public static void main(String[] args) throws NamingException {
    if (args.length < 2) {
        System.err.println("Usage: java AdvancedBindDemo <uid> <password>");
        System.exit(1);
    }
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=com");
    env.put(Context.SECURITY_CREDENTIALS, "admin");
    ...
But if I replace env.put(Context.SECURITY_AUTHENTICATION, "simple") with
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5") and send the password in
clear or encrypted, it sends me back the following error:
[LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for cn=admin,dc=example,dc=com in realm : example.com]
I've tried (by Apache Studio) to set the password for
"cn=admin,dc=example,dc=com" both in clear text and using MD5..
What's wrong? Something in my server.xml? If you need it, let me know!
I hope someone can help me, I'm a newbie in LDAP authentication!
Thanks in advance!
--
View this message in context: http://www.nabble.com/ApacheDs---DIGEST-MD5-tp22076098p22076098.html
Sent from the Apache Directory Project mailing list archive at Nabble.com.
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Hi,
Kiran, excuse me for the attachments; I tried to provide a pastebin for you:
my java class: http://pastebin.com/m748ea714
my server.xml: http://pastebin.com/m1f899034
Hoping this can help...
As you see, I can authenticate successfully using only the uid (or cn), that is
"adminrosa". If, instead, I use "cn=adminrosa,dc=example,dc=com", I get the
following exception:
javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for cn=adminrosa,dc=example,dc=com in realm : example.com]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)...
Re: ApacheDs - DIGEST-MD5
Posted by ayyagarikiran <ay...@gmail.com>.
> It uses the dn found, that isn't only the cn. Can't I change this server behaviour
> and execute bind with the full dn?
AFAIK, if you are using ApacheDS then the only way the authentication works is by specifying the full DN.
Isn't it in your case?
> For more clarity I upload the entire java class.
Attachments will be stripped by the spam filter; maybe you can use a pastebin and provide a link.
Kiran Ayyagari
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Sorry Stefan,
I have seen your post only now.
Stefan Zoerner-2 wrote:
> Is the value of the fullname and the uid attribute of your users the
> same? I would expect it to work with uid only; the CN is not
> necessarily unique.
I caused a little misunderstanding: "fullname" is the value of uid for my
user and not the attribute, so I'm looking up using a unique uid.
> Why do you want to perform a search and use the DN, if you can use the
> unique uid immediately? Do you plan to use another attribute for logon
> (like mail)?
I would search using the dn to test the code of that class I attached and not
to have to do parsing of the dn got by the search.
But the real reason is that I'm trying to use ApacheDS with Alfresco
(surely you have heard about that) and I'm encountering problems, so I
would like to try all possible configurations to get it working. I made
a test class to test my server first. Using only the uid works with my test
class, but not with Alfresco. Now, at least, I know it's an Alfresco bug or
configuration problem, but my server is responding and I can correctly
interrogate it.
> Greetings from Hamburg,
> Stefan
Greetings from Italy,
Nowhere
Re: ApacheDs - DIGEST-MD5
Posted by Stefan Zoerner <st...@labeo.de>.
Nowhere wrote:
> thanks for your interest...
> I can't say what my command line is... I don't understand what you mean,
> sorry :(
> Perhaps you mean the java command line? I use: java AdvancedBindDemo fullname
> inClearText, where fullname exists on my server. If I change my code from:
>
> ---> // Step 3: Bind with found DN and given password
> ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
> ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
> // Perform a lookup in order to force a bind operation with JNDI
> ctx.lookup(dn); <------
>
> TO:
>
> ---> // Step 3: Bind with found DN and given password
> ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "fullname");
> ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
> // Perform a lookup in order to force a bind operation with JNDI
> ctx.lookup(dn); <---
>
> where I force the cn I wish to use (replacing the full dn), it works fine. With the dn
> I get the exception I mentioned in my previous post.
Yes, thanks, that was what I meant. I see much clearer now.
> Anyway I can tell you it works for several users, yes... my problem is
> getting it working with the full dn and not only uid or cn... Sorry if I can't
> explain it in a better way.
> Thanks... any other question or help will be appreciated,
Is the value of the fullname and the uid attribute of your users the
same? I would expect it to work with uid only; the CN is not
necessarily unique.
Why do you want to perform a search and use the DN, if you can use the
unique uid immediately? Do you plan to use another attribute for logon
(like mail)?
Greetings from Hamburg,
Stefan
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Yes,
I already read the Sun Java documentation at the link you quote and many other
forum posts and guides about that... but I'm a little hard-bitten, I
think there is always something else to try. But now you have persuaded me
:)
Thanks for your patience.
Re: ApacheDs - DIGEST-MD5
Posted by Emmanuel Lecharny <el...@apache.org>.
> Thanks for reply.
> I was looking for using dn, but I didn't find solutions.
> Have a good day.
This is server specific. The Sun JNDI tutorial is explicit about the principal name:
"Context.SECURITY_PRINCIPAL(in the API reference documentation).
Set to the principal name. This is a server-specific format. Some
servers support a login user id format, such as that defined for Unix
or Windows login screens. Others accept a distinguished name. Yet
others use the authorization id formats defined in RFC 2829. In that
RFC, the name should be either the string "dn:", followed by the fully
qualified DN of the entity being authenticated, or the string "u:",
followed by the user id. Some servers accept multiple formats.
Examples of some of these formats are "cuser", "dn: cn=C. User,
ou=NewHires, o=JNDITutorial", and "u: cuser" The data type of this
property must be java.lang.String. "
(http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html)
You may like it or not, but if the server does not support a DN, there
is nothing you can do but comply with the server implementation ...
Sorry about that.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Thanks for reply.
I was looking for using dn, but I didn't find solutions.
Have a good day.
Re: ApacheDs - DIGEST-MD5
Posted by Emmanuel Lecharny <el...@apache.org>.
> and created my tree dc=example,dc=com in ou=system, so I have a user with the
> following dn: uid=adminrosa,dc=example,dc=com,ou=system
>
> So, I could try something like env.put(Context.SECURITY_PRINCIPAL,
> "uid=adminrosa,dc=example,dc=com") and it would look for an entry
> "uid=adminrosa,dc=example,dc=com,ou=system", that is my principal + <my
> baseSearchDN> as defined in the server.xml.
>
> It's still not working, where is my dumb error? :(
look for "adminrosa", not for its dn.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
First of all thanks for your reply!
I was wondering about that, even if I don't know OpenLDAP; it's my first
encounter with a directory server and LDAP, so my questions are very dumb
questions.
Just thinking of what you told me, I modified my server.xml like so:
<ldapService id="ldapService"
ipPort="10389"
allowAnonymousAccess="false"
saslHost="ldap.example.com"
saslPrincipal="ldap/admin@EXAMPLE.COM"
searchBaseDn="ou=system"
maxTimeLimit="15000"
maxSizeLimit="1000">
and created my tree dc=example,dc=com in ou=system, so I have a user with the
following dn: uid=adminrosa,dc=example,dc=com,ou=system
So, I could try something like env.put(Context.SECURITY_PRINCIPAL,
"uid=adminrosa,dc=example,dc=com") and it would look for an entry
"uid=adminrosa,dc=example,dc=com,ou=system", that is my principal + <my
baseSearchDN> as defined in the server.xml.
It's still not working, where is my dumb error? :(
Re: ApacheDs - DIGEST-MD5
Posted by Emmanuel Lecharny <el...@apache.org>.
The way it's implemented is that it looks up the password of an
entry using this search filter:
"uid=<your user>,<your baseSearchDN>"
so in your case, for a user named 'admin', and if your search base DN
is "dc=example, dc=com", it's searching for the password of an entry
whose DN is "uid=admin,dc=example,dc=com".
If your user name is a DN, then it will look up an entry like
"uid=uid=admin, dc=example,dc=com,dc=example,dc=com"...
Not likely to find the password :)
Now, it may be a bit too rigid, and we can discuss a better way to
handle such mechanisms, but that's another story. FYI, OpenLDAP uses
some configuration to manage SASL auth:
"Now, you should set the sasl-regexp directive in the slapd.conf file
before starting the slapd daemon and testing the authentication. My
slapd.conf file resides at /usr/local/etc/openldap:
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
This parameter is in the format of:
uid=<username>,cn=<realm>,cn=<mech>,cn=auth
The username is taken from sasl and inserted into the ldap search
string in the place of $1"
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
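The lookup rule Emmanuel describes above means the DIGEST-MD5 principal must be the bare uid value, so a search-then-bind flow like the one attempted in this thread should bind with the uid attribute of the entry it found, not with the entry's DN. The class below is an added example written for this page, not code from the thread, from ApacheDS or from the JNDI tutorial. It assumes a service account with uid svc-auth and password changeme (placeholders) that is allowed to search the tree, and it reuses the host, port, realm and qop values posted in the thread, including the java.naming.security.sasl.realm and javax.security.sasl.qop properties from Emmanuel's first reply.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind against ApacheDS over SASL DIGEST-MD5 (example for this page).
 *
 * ApacheDS resolves the SASL user name by looking up "uid=<user>,<searchBaseDn>",
 * so the DIGEST-MD5 principal has to be the bare uid value, never a DN. The class
 * therefore searches for the user with a service account, reads the uid attribute
 * of the entry it finds, and binds with that value.
 */
public class DigestMd5SearchBind {

    // Assumed deployment values; the service account is a placeholder.
    static final String PROVIDER_URL = "ldap://ldap.example.com:10389/";
    static final String REALM = "example.com";
    static final String SEARCH_BASE = "dc=example,dc=com";
    static final String SERVICE_UID = "svc-auth";       // assumed service account
    static final String SERVICE_PASSWORD = "changeme";  // assumed, placeholder

    /** Environment for a DIGEST-MD5 bind as the given uid. */
    static Hashtable<String, Object> digestEnv(String uid, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, uid);           // bare uid, not a DN
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.security.sasl.realm", REALM);  // realm the server reports
        env.put("javax.security.sasl.qop", "auth-conf");    // integrity + confidentiality
        return env;
    }

    /**
     * A DN passed as the principal makes the server look up
     * "uid=uid=...,dc=...,dc=...", which is the "cannot acquire password"
     * failure from the thread; reject such values before binding.
     */
    static boolean isBareUid(String principal) {
        return principal != null && !principal.isEmpty()
            && principal.indexOf('=') < 0 && principal.indexOf(',') < 0;
    }

    /**
     * Resolves a login name to the uid attribute of exactly one inetOrgPerson
     * under SEARCH_BASE; returns null if no entry or more than one matches.
     * The {0} argument is bound and escaped by JNDI, so the login name is never
     * spliced into the filter string.
     */
    static String resolveUid(DirContext serviceCtx, String login) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] { "uid" });
        NamingEnumeration<SearchResult> results = serviceCtx.search(
            SEARCH_BASE, "(&(objectClass=inetOrgPerson)(uid={0}))",
            new Object[] { login }, ctls);
        try {
            if (!results.hasMore()) return null;
            SearchResult entry = results.next();
            if (results.hasMore()) return null;  // uid must be unique
            Attribute uid = entry.getAttributes().get("uid");
            return uid == null ? null : (String) uid.get();
        } finally {
            results.close();
        }
    }

    /** Returns true if the server accepts the user's password. */
    static boolean authenticate(String login, String password) throws NamingException {
        DirContext serviceCtx = new InitialDirContext(digestEnv(SERVICE_UID, SERVICE_PASSWORD));
        String uid;
        try {
            uid = resolveUid(serviceCtx, login);
        } finally {
            serviceCtx.close();
        }
        if (uid == null || !isBareUid(uid)) {
            return false;  // unknown, ambiguous, or unusable as a SASL principal
        }
        try {
            // Creating the context with the user's own credentials performs the bind.
            new InitialDirContext(digestEnv(uid, password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length < 2) {
            System.err.println("Usage: java DigestMd5SearchBind <login> <password>");
            System.exit(1);
        }
        System.out.println(authenticate(args[0], args[1])
            ? "Authentication successful" : "Authentication failed");
    }
}
```

The uniqueness check matters for the reason Stefan gives later in the thread: a cn is not necessarily unique, so the flow only ever binds with a uid that matched exactly one entry, and it refuses to bind at all if that value looks like a DN.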
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Hi Stefan,
thanks for your interest...
I can't say what my command line is... I don't understand what you mean,
sorry :(
Perhaps you mean the java command line? I use: java AdvancedBindDemo fullname
inClearText, where fullname exists on my server. If I change my code from:
---> // Step 3: Bind with found DN and given password
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
// Perform a lookup in order to force a bind operation with JNDI
ctx.lookup(dn); <------
TO:
---> // Step 3: Bind with found DN and given password
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "fullname");
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
// Perform a lookup in order to force a bind operation with JNDI
ctx.lookup(dn); <---
where I force the cn I wish to use (replacing the full dn), it works fine. With the dn
I get the exception I mentioned in my previous post.
Anyway I can tell you it works for several users, yes... my problem is
getting it working with the full dn and not only uid or cn... Sorry if I can't
explain it in a better way.
Thanks... any other question or help will be appreciated,
greetings :-)
Re: ApacheDs - DIGEST-MD5
Posted by Stefan Zoerner <st...@labeo.de>.
Which command line arguments do you use?
admin admin? Or another user?
If this works:
env.put(Context.SECURITY_PRINCIPAL, "admin");
env.put(Context.SECURITY_CREDENTIALS, "admin");
it should work for other users as well, no? Have you tried it out with
another user (for instance hard-coded, in the first place)?
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Hi, I found it works fine like this:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:10389/");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "admin");
env.put(Context.SECURITY_CREDENTIALS, "admin");
// Specify realm
env.put( "java.naming.security.sasl.realm", "example.com" );
// Request privacy protection
env.put( "javax.security.sasl.qop", "auth-conf" );
but I would like to perform a search and authenticate with the user found, as
the following code shows:
ctx = new InitialDirContext(env);
// Step 2: Search the directory
String base = "dc=example,dc=com";
String filter = "(&(objectClass=inetOrgPerson)(uid={0}))";
SearchControls ctls = new SearchControls();
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
ctls.setReturningAttributes(new String[0]);
ctls.setReturningObjFlag(true);
NamingEnumeration enm = ctx.search(base, filter, new String[] { uid }, ctls);
String dn = null;
if (enm.hasMore()) {
    SearchResult result = (SearchResult) enm.next();
    dn = result.getNameInNamespace();
    System.out.println("dn: " + dn);
}
if (dn == null || enm.hasMore()) {
    // uid not found or not unique
    throw new NamingException("Authentication failed");
}
// Step 3: Bind with found DN and given password
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
// Perform a lookup in order to force a bind operation with JNDI
ctx.lookup(dn);
System.out.println("Authentication successful");
It uses the dn found, that isn't only the cn. Can't I change this server behaviour
and execute bind with the full dn?
For more clarity I upload the entire java class.
Thanks in advance!
http://www.nabble.com/file/p22077027/AdvancedBindDemo.java
AdvancedBindDemo.java
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Hi, here I am again... it was a mistake of mine, it doesn't work with DIGEST-MD5
(I had left "simple" in my previous test) :(
I repeat the non-working configuration:
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:10389/");
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, "uid=admin,dc=example,dc=com");
env.put(Context.SECURITY_CREDENTIALS, "admin");
// Specify realm
env.put( "java.naming.security.sasl.realm", "example.com" );
// Request privacy protection
env.put( "javax.security.sasl.qop", "auth-conf" );
...
and I upload my server.xml, if it can help.
Any suggestion?
http://www.nabble.com/file/p22076693/server.xml server.xml
Re: ApacheDs - DIGEST-MD5
Posted by Nowhere <sp...@gmail.com>.
Thanks Emmanuel... now it's working fine, I appreciate your help very much, it made me
glad :)
I was thinking the realm was implicit... how stupid I am!
Have a good day!
Re: ApacheDs - DIGEST-MD5
Posted by Emmanuel Lecharny <el...@apache.org>.
Hi,
On Wed, Feb 18, 2009 at 11:34 AM, Nowhere <sp...@gmail.com> wrote:
>
> Hi all,
> I don't know if this is the right place, but I have a problem connecting to my
> ApacheDS using DIGEST-MD5:
>
> I wrote a simple Java class that works fine with simple authentication.
> Here it is:
> public static void main(String[] args) throws NamingException {
>
> if (args.length < 2) {
> System.err.println("Usage: java AdvancedBindDemo <uid> <password>");
> System.exit(1);
> }
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, "ldap://localhost:10389/");
> env.put(Context.SECURITY_AUTHENTICATION, "simple");
> env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=example,dc=com");
> env.put(Context.SECURITY_CREDENTIALS, "admin");
You have to define two more elements in your configuration:
// Specify realm
env.put( "java.naming.security.sasl.realm", "example.com" );
// Request privacy protection
env.put( "javax.security.sasl.qop", "auth-conf" );
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com